Using Anthropology to study
Security Incident Response
Raj Rajagopalan
Xinming Ou
Kansas State U
FIRST 2014
June 25, 2014
The Team
Sathya Chandran, Mike Wesch, Simon Ou (KSU)
John McHugh (RedJack), Dan Moor (HP)
Raj Rajagopalan (Honeywell)
Partially supported by an NSF grant. Opinions are those of the authors.
SOCs and CSIRTs are the heart
of our cyber defense
and yet
we cannot articulate
how they thrive
E.g. We don’t know
how to make incident handling
more automated
how to train new analysts quickly
how to share knowledge
To do this
we have to know what makes a
SOC/CSIRT really work
But don’t we know that already?
But first a little story…
Back in 2006
a group of intrepid security researchers
were on a mission to find out
how to build an effective IDS
So they went to the nearest SOC/CSIRT
which happened to be the one on campus
What did they learn?
What we saw
We observed the SOC handle a malware
incident affecting campus servers.
What we saw was not what we expected
What we saw
SOC analysts don’t use high tech tools!
Most of the work is grubby manual work
Most of the analysis is based on
personal experience
What we learned
Security analysis is a people problem
more than a technology problem!
Academic security research is well separated from the practice of cyber
Vendors to the SOC were not doing
much better.
What we did
We asked the SOC analysts how they
did their jobs
How did that work?
Not well.
What did we miss?
What we set out to observe
What we became
Time for Reflection
The researchers could not get the time of day from the
SOC staff
SOC personnel were too busy and too suspicious
SOC skills are learned primarily via a master-apprentice model
The researchers were on the outside looking in!
The Professional Observer
Dr. Mike Wesch, Socio-cultural Anthropologist
to the rescue!
Introduction to Anthropology
The study of
all people
in all times
in all places
See the big picture and the small picture
at the same time.
What we think Anthropologists do!
Other things Anthropologists do
What Anthropology teaches us
Get rid of your familiar biases!
How did we apply Anthropology to studying CSIR?
Our Embeds
1. Worked initially on the sidelines
2. Built tools for the SOC analysts
3. Gained the trust of SOC analysts
4. Co-created tools with the SOC analysts
over the course of 18 months!
What does Anthropology tell us about studying the
People know more than they can tell
Knowledge is held in the community
Converting tacit knowledge to explicit knowledge
requires systematic study.
It is not enough to live there.
You have to be one of them.
Participant observation is the key.
Knowledge comes when the observer achieves
the perspective of the observed.
The key is to record that journey.
How to observe what is being said
Setting and Scene
Act Sequence
Key (tone, manner, or spirit of the event)
Instrumentalities (forms and styles used)
Norms (social rules governing the action)
it’s not what’s being said …
it’s what what’s being said says
What we learned when we applied Anthropological
1. SOC analysts’ knowledge is very tribal; there is no
alternative to experience.
2. Analysts are not always aware of their own knowledge,
which comes out in interactions.
3. It is necessary and possible to become a SOC “insider”
to learn how it really works
4. SOC management needs to empower and incentivize
knowledge sharing among analysts
5. Tool co-creation is the best way to transfer technology
into a SOC
Some short-term outcomes of our Anthropological
work so far
SOC staff discuss their problems with the
researchers today
Our participant observer built a tool for a unique
problem they were facing.
A SOC analyst participated in the tool design.
The solution did not require sophisticated or new
The solution reduced the time spent dramatically.
The SOC uses the tool!
Is Anthropology necessary?
The SOC is a unique socio-cultural environment
where the activity is very human-centric.
SOC culture is closed and suspicious by necessity.
A short or superficial look at SOC operations
would have been misleading.
We have to separate the problems rooted in
human behaviors from the technology.
Anthropology gives us a methodology to conduct
long-term, human-oriented study.
Further work
We have an upcoming article in an IEEE magazine
special issue on CSIRTs.
The systematic work was limited to one SOC in a
university environment.
We have now expanded the study to include two
corporate SOCs.
We need to conduct the study at more SOCs.
An Invitation to the FIRST Community
We would like to invite participation from the FIRST
community SOCs/CSIRTs.
Study participation can benefit both the participating
SOC/CSIRT and the community.
What we hope to achieve in the long run
Deeper understanding of how security analysis
works by converting tacit knowledge into explicit
Learn to make our SOC/CSIRT more effective
Learn to train our analysts better
Create a SOC/CSIRT community that learns to
observe itself and share better
How and when we share knowledge
in our communities
is not so different after all